
Cloud Vulnerability DB
A community-led vulnerabilities database
A flaw was found in the Pulp package (CVE-2024-7143) affecting role-based access control (RBAC) object permissions. The vulnerability was discovered in August 2024 and affects the Pulp package and Red Hat Ansible Automation Platform. The issue occurs when an RBAC object in Pulp is set to assign permissions on its creation using the AutoAddObjPermsMixin functionality (NVD).
The vulnerability stems from the AutoAddObjPermsMixin implementation, specifically the add_roles_for_object_creator method. When objects are created within a task, the current user is taken to be the first user with any permissions on the task object. As a result, the oldest user with model/domain-level task permissions is always set as the current user of a task, even if they did not dispatch it. The vulnerability has been assigned a CVSS v3.1 base score of 8.3 (HIGH) by NVD and 6.7 (MEDIUM) by Red Hat (NVD, Red Hat Advisory).
The vulnerability results in incorrect permission assignments where all objects created in tasks will have their permissions assigned to the oldest user with task permissions, while the actual creating user receives no permissions. This can lead to unauthorized access to resources and potential privilege escalation issues (Red Hat Bugzilla).
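The mis-assignment described above can be reproduced in a simplified model, together with an audit that compares each task's dispatcher against the user who ended up holding the creator roles. This is an added example, not Pulp's code or the vendor's fix; the Task class, the function names and the sample users are hypothetical, and "oldest user" is modelled as the lowest primary key.

```python
from dataclasses import dataclass, field

@dataclass
class Task:
    task_id: str
    dispatcher: str
    # {username: user primary key} for every user holding any permission on the
    # task, whether object-level or inherited from a model/domain-level role.
    perm_holders: dict = field(default_factory=dict)

def creator_flawed(task):
    """Behaviour described in the advisory: the oldest user (lowest pk here)
    with any permission on the task is treated as the current user."""
    return min(task.perm_holders, key=task.perm_holders.get)

def creator_expected(task):
    """Expected outcome: the user who dispatched the task."""
    return task.dispatcher

def run_tasks(tasks, resolve_creator):
    """Each task creates one object; return {object: user given creator roles}."""
    return {f"object-of-{t.task_id}": resolve_creator(t) for t in tasks}

def audit(tasks, assignments):
    """List (object, dispatcher, role_holder) where the two users differ."""
    findings = []
    for t in tasks:
        obj = f"object-of-{t.task_id}"
        holder = assignments.get(obj)
        if holder != t.dispatcher:
            findings.append((obj, t.dispatcher, holder))
    return findings

# Constructed sample: "ops" is the oldest account and holds a model-level task
# role, so it appears as a permission holder on every task.
TASKS = [
    Task("t1", "bob",   {"ops": 1, "bob": 7}),
    Task("t2", "carol", {"ops": 1, "carol": 9}),
    Task("t3", "ops",   {"ops": 1}),
]

if __name__ == "__main__":
    for name, resolver in (("flawed", creator_flawed), ("expected", creator_expected)):
        print(name, audit(TASKS, run_tasks(TASKS, resolver)))
```

The same comparison applies when reviewing a real deployment after patching: objects created by tasks before the update may still carry creator roles for the wrong user and need to be checked against who actually dispatched each task.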
Red Hat has addressed this vulnerability in Red Hat Ansible Automation Platform 2.4 for RHEL 8 and RHEL 9 through the security advisory RHSA-2024:6765. The fix includes updates to python3-pulpcore/python39-pulpcore packages (Red Hat Advisory).
Source: This report was generated using AI